Corporate boards overconfident despite worsening cyber claims
Claims data showed that ransomware attacks averaged a loss of $2.7m.
Corporate boards are overestimating their cyber readiness, with actual losses proving longer and costlier than expected, according to Willis’ Cyber in Focus 2025 report.
The study, based on 4,650 cyber claims and board-level data, found that cyber incidents are lasting longer and causing greater financial damage than leaders anticipate: a key concern for insurers as cyber risks escalate.
Claims data showed that ransomware attacks result in a median 24-day outage and an average loss of $2.7m, far exceeding most corporate expectations.
The report also found that half of all data breaches originate from third-party vendors, highlighting growing exposure to supplier-related risks, a trend insurers are monitoring closely.
Willis noted that while many boards claim to have cyber response plans, only 68% tested them in the past year, a factor that could affect insurability and premium terms as underwriters increasingly demand proof of resilience in practice, not just on paper.
In Asia-Pacific, new regulations in Australia, Singapore, and Hong Kong are tightening governance, disclosure, and incident response requirements, creating additional pressure on insureds to demonstrate compliance and operational readiness.
The report also found that public companies account for 36% of total global cyber losses, despite representing a smaller share of total incidents.
The largest single claim reached $331m, underscoring the financial severity of recent cases. Emerging risks such as deepfakes, synthetic identities, and generative malware are already contributing to fraud-related claims.
Ben DiMarco, Cyber & Technology Industry Leader, Pacific, at Willis, said insurers are increasingly scrutinising companies’ cyber hygiene, vendor management, and incident response testing as part of their underwriting assessments.